

OpenWRT: Microsoft Azure to Cloudera CDH via VPN Gateway


Configuring StrongSwan on Asus Merlin Firmware (not working)

Unfortunately I had no luck with DD-WRT, but I certainly thought I would with the Asus Merlin software.  The final configuration I tried with Asus Merlin is shown below.  After quite some time of trial and error I never established a successful connection to my Azure account.  This is due to the same issue as above; however, far fewer modules existed on the Asus Merlin firmware than on DD-WRT or OpenWRT.  This is NOT to say another IPsec implementation on Asus Merlin won't work in other situations.  YMMV.

The solution assumes the topology shown above. 100.100.100.100 represents the Azure VPN Gateway IP and 123.123.123.123 represents the on-prem gateway IP.

The strongSwan ipsec.conf configuration file:

admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc# cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.
conn %default
        # dpdaction=none
        dpdaction=clear
        keyexchange=ikev2
        forceencaps=yes
        fragmentation=yes

        keylife=3600s
        ikelifetime=28800s
        rekey=yes
        rekeymargin=3m
        keyingtries=1
        mobike=no
        lifebytes=102400000

        type=tunnel
        auto=start
        authby=secret

        ike=aes256-sha1-modp1024
        esp=aes256-sha1


conn remote-to-asus
        left=192.168.0.6
        leftid=123.123.123.123
        right=192.168.0.16


conn asus-to-remote
        left=192.168.0.16
        leftid=100.100.100.100
        right=192.168.0.6
        rightid=192.168.0.16


conn azure-s2s

        # ----------
        # LEFT
        # ----------
        # left=123.123.123.123                 # IP address of your on-premises gateway
        left=192.168.0.16                  # IP address of your on-premises gateway

        leftsubnet=192.168.0.0/24,10.0.0.0/24,10.1.0.0/24,10.2.0.0/24,10.3.0.0/24       # Home LAB - Local
        leftfirewall=yes
        # leftsubnet=0.0.0.0/0

        # ----------
        # RIGHT
        # ----------
        right=100.100.100.100                   # Remote VPN gateway IP address
        # right=%any
        # rightid=%any
        rightsubnet=10.10.0.0/24,10.10.10.0/24,10.10.20.0/24,10.10.30.0/24    # Remote network subnet defined in public cloud
        # rightsubnet=0.0.0.0/0
        rightfirewall=yes

admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc#

The strongSwan configuration file, strongswan.conf:

admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc# cat strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
# Verbosity levels
# -1: Absolutely silent
# 0: Very basic auditing logs, (e.g. SA up/SA down)
# 1: Generic control flow with errors, a good default to see whats going on
# 2: More detailed debugging control flow
# 3: Including RAW data dumps in Hex
# 4: Also include sensitive material in dumps, e.g. keys
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        filelog {
                charon {
                        path = /var/log/charon.log
                        time_format = %b %e %T
                        append = no
                        default = 0 # in case troubleshoot is required switch this to 2
                }
                stderr {
                        ike = 1 # in case troubleshoot is required switch this to 2
                        knl = 1 # in case troubleshoot is required switch this to 3
                        ike_name = yes
                }
        }
        syslog {
                # enable logging to LOG_DAEMON, use defaults
                daemon {
                }
                # minimalistic IKE auditing logging to LOG_AUTHPRIV
                auth {
                        default = 1 # in case troubleshoot is required switch this to 2
                        ike = 1 # in case troubleshoot is required switch this to 2
                }
        }
}
include strongswan.d/*.conf
admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc#


The final partial connection status: 

admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc# ipsec restart; sleep 2; ipsec statusall
Stopping strongSwan IPsec...
Starting strongSwan 5.9.0 IPsec [starter]...
Status of IKE charon daemon (strongSwan 5.9.0, Linux 2.6.36.4brcmarm, armv7l):
  uptime: 2 seconds, since Oct 24 00:04:31 2020
  malloc: sbrk 815104, mmap 0, used 380552, free 434552
  worker threads: 6 of 16 idle, 6/0/4/0 working, job queue: 0/0/0/0, scheduled: 18
  loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default socket-dynamic farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
  192.168.0.16
  10.1.1.1
Connections:
remote-to-asus:  192.168.0.16...192.168.0.6  IKEv2, dpddelay=30s
remote-to-asus:   local:  [192.168.0.16] uses pre-shared key authentication
remote-to-asus:   remote: [123.123.123.123] uses pre-shared key authentication
remote-to-asus:   child:  dynamic === dynamic TUNNEL, dpdaction=clear
asus-to-remote:  192.168.0.16...192.168.0.6  IKEv2, dpddelay=30s
asus-to-remote:   local:  [100.100.100.100] uses pre-shared key authentication
asus-to-remote:   remote: [192.168.0.16] uses pre-shared key authentication
asus-to-remote:   child:  dynamic === dynamic TUNNEL, dpdaction=clear
   azure-s2s:  192.168.0.16...100.100.100.100  IKEv2, dpddelay=30s
   azure-s2s:   local:  [192.168.0.16] uses pre-shared key authentication
   azure-s2s:   remote: [100.100.100.100] uses pre-shared key authentication
   azure-s2s:   child:  192.168.0.0/24 10.0.0.0/24 10.1.0.0/24 10.2.0.0/24 10.3.0.0/24 === 10.10.0.0/24 10.10.10.0/24 10.10.20.0/24 10.10.30.0/24 TUNNEL, dpdaction=clear
Security Associations (2 up, 0 connecting):
asus-to-remote[4]: ESTABLISHED 2 seconds ago, 192.168.0.16[100.100.100.100]...192.168.0.6[192.168.0.16]
asus-to-remote[4]: IKEv2 SPIs: c8279d8c3663f863_i 35c4da0512fcbaeb_r*, pre-shared key reauthentication in 7 hours
asus-to-remote[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   azure-s2s[3]: ESTABLISHED 2 seconds ago, 192.168.0.16[192.168.0.16]...100.100.100.100[100.100.100.100]
   azure-s2s[3]: IKEv2 SPIs: c8279d8c3663f863_i* 35c4da0512fcbaeb_r, pre-shared key reauthentication in 7 hours
   azure-s2s[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc#

admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc#
admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc# ipsec status
Security Associations (2 up, 0 connecting):
asus-to-remote[4]: ESTABLISHED 6 seconds ago, 192.168.0.16[100.100.100.100]...192.168.0.6[192.168.0.16]
   azure-s2s[3]: ESTABLISHED 6 seconds ago, 192.168.0.16[192.168.0.16]...100.100.100.100[100.100.100.100]
admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc#
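Two things stand out in the status output above: both IKE SAs are ESTABLISHED yet no CHILD_SA is listed beneath them, and asus-to-remote[4] and azure-s2s[3] report the same IKE SPI pair, once as initiator and once as responder. The following Python script is an added example, not from the original post: it parses `ipsec statusall` output (the SA section above embedded as a constructed sample, plus a hypothetical healthy tunnel with made-up SPIs) and reports a missing CHILD_SA, an IKE SA whose both ends terminate on this host, and legacy algorithms in the negotiated proposal.

```python
import re
# Constructed sample: the IKE SA section of the `ipsec statusall` output shown above.
PARTIAL = """\
asus-to-remote[4]: ESTABLISHED 2 seconds ago, 192.168.0.16[100.100.100.100]...192.168.0.6[192.168.0.16]
asus-to-remote[4]: IKEv2 SPIs: c8279d8c3663f863_i 35c4da0512fcbaeb_r*, pre-shared key reauthentication in 7 hours
asus-to-remote[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   azure-s2s[3]: ESTABLISHED 2 seconds ago, 192.168.0.16[192.168.0.16]...100.100.100.100[100.100.100.100]
   azure-s2s[3]: IKEv2 SPIs: c8279d8c3663f863_i* 35c4da0512fcbaeb_r, pre-shared key reauthentication in 7 hours
   azure-s2s[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""
# Constructed sample of a fully established tunnel (hypothetical SPIs) for comparison.
HEALTHY = """\
   azure-s2s[1]: ESTABLISHED 5 minutes ago, 192.168.0.16[123.123.123.123]...100.100.100.100[100.100.100.100]
   azure-s2s[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
   azure-s2s{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0ffee01_i 0badf00d_o
"""
IKE_RE = re.compile(r"^\s*(?P<name>[\w.-]+)\[(?P<id>\d+)\]:\s+(?P<rest>.*)$")
CHILD_RE = re.compile(r"^\s*(?P<name>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+)")
WEAK = ("MODP_1024", "MODP_768", "HMAC_SHA1", "HMAC_MD5")  # legacy per RFC 8247 guidance

def parse_statusall(text):  # -> {(conn, ike_id): {state, spis, proposal, children}}
    sas, current = {}, None
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            current = (m["name"], int(m["id"]))
            sa = sas.setdefault(current, {"state": None, "spis": None, "proposal": None, "children": []})
            rest = m["rest"]
            if rest.startswith("IKEv2 SPIs:"):       # the SPI pair uniquely identifies one IKE SA
                sa["spis"] = tuple(re.findall(r"([0-9a-f]+)_[ir]\b", rest))
            elif rest.startswith("IKE proposal:"):
                sa["proposal"] = rest.split()[2]
            else:                                   # first token is the IKE SA state
                sa["state"] = rest.split()[0]
        elif (m := CHILD_RE.match(line)) and current and m["name"] == current[0]:
            sas[current]["children"].append(m["state"])  # CHILD_SAs are listed under their IKE SA
    return sas

def diagnose(sas):  # explain a 'partial' tunnel: IKE up but no CHILD_SA, self-connection, legacy crypto
    findings, by_spi = [], {}
    for (conn, ike_id), sa in sas.items():
        label = f"{conn}[{ike_id}]"
        if sa["state"] == "ESTABLISHED" and "INSTALLED" not in sa["children"]:
            findings.append(f"{label}: IKE SA established but no CHILD_SA installed, no traffic will flow")
        if sa["spis"]:
            by_spi.setdefault(sa["spis"], []).append(label)
        findings += [f"{label}: negotiated {alg}, a legacy algorithm" for alg in WEAK if alg in (sa["proposal"] or "")]
    for spis, labels in by_spi.items():
        if len(labels) > 1:  # the same SA seen as initiator and responder: both ends are this host
            findings.append(f"{' and '.join(labels)}: share IKE SPIs {'/'.join(spis)}, both ends terminate on this host")
    return findings
```

Run it against live output with `ipsec statusall | python3 -c 'import sys, check; print(*check.diagnose(check.parse_statusall(sys.stdin.read())), sep="\n")'` (assuming the file is saved as check.py).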

Shared secret file:

admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc# cat ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
123.123.123.123 100.100.100.100 : PSK "ym9mK2Mpr6nEVGZG"
192.168.0.6 192.168.0.16 : PSK "ym9mK2Mpr6nEVGZG"
192.168.0.16 192.168.0.6 : PSK "ym9mK2Mpr6nEVGZG"
admin@ASUS-MERLIN-INTERNET:/tmp/mnt/sda/entware/etc#

The setup was not without issues.  Here are some of the most common messages I encountered and how I solved them.  The key to configuring IPsec / strongSwan was understanding the various messages in the log, what they mean and what was expected.  The pieces came together once I fully understood the second message.

  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License